File CVE-2016-2538-qemuu-usb-integer-overflow-in-rem... of Package xen.10697

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch of Package xen.10697

References: bsc#968004 CVE-2016-2538

Subject: usb: check RNDIS buffer offsets & length
From: Prasad J Pandit pjp@fedoraproject.org Wed Feb 17 00:23:41 2016 +0530
Date: Tue Feb 23 10:38:01 2016 +0100:
Git: fe3c546c5ff2a6210f9a4d8561cc64051ca8603e

When processing remote NDIS control message packets,
the USB Net device emulator uses a fixed length(4096) data buffer.
The incoming informationBufferOffset & Length combination could
overflow and cross that range. Check control message buffer
offsets and length to avoid it.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1455648821-17340-3-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/usb/dev-network.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/hw/usb/dev-network.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/hw/usb/dev-network.c
@@ -913,8 +913,9 @@ static int rndis_query_response(USBNetSt
 
     bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
     buflen = le32_to_cpu(buf->InformationBufferLength);
-    if (bufoffs + buflen > length)
+    if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
         return USB_RET_STALL;
+    }
 
     infobuflen = ndis_query(s, le32_to_cpu(buf->OID),
                             bufoffs + (uint8_t *) buf, buflen, infobuf,
@@ -959,8 +960,9 @@ static int rndis_set_response(USBNetStat
 
     bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
     buflen = le32_to_cpu(buf->InformationBufferLength);
-    if (bufoffs + buflen > length)
+    if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
         return USB_RET_STALL;
+    }
 
     ret = ndis_set(s, le32_to_cpu(buf->OID),
                     bufoffs + (uint8_t *) buf, buflen);
@@ -1210,8 +1212,9 @@ static void usb_net_handle_dataout(USBNe
     if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) {
         uint32_t offs = 8 + le32_to_cpu(msg->DataOffset);
         uint32_t size = le32_to_cpu(msg->DataLength);
-        if (offs + size <= len)
+        if (offs < len && size < len && offs + size <= len) {
             qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size);
+        }
     }
     s->out_ptr -= len;
     memmove(s->out_buf, &s->out_buf[len], s->out_ptr);

Places

File CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch of Package xen.10697

Places